A philosophy, not a product
"Zero trust" has been marketed so hard that it now sounds like something you buy — a platform, an appliance, a logo on a slide. Strip the marketing away and it is a single, durable idea: stop granting trust based on where a request comes from, and start verifying who and what is behind every request, every time. The old model said "inside the network is safe, outside is hostile," and drew a wall between them. That model died the day your team scattered to laptops in apartments and your data moved into a dozen SaaS tools. There is no inside anymore. Zero trust is simply the honest response to that fact.
For a lean team this is liberating, because it means you do not need to write a check to a "zero trust vendor" to start. You need to apply one rule consistently — never trust, always verify — to the controls you are mostly building already. Much of zero trust is less a new project than a way of connecting the identity, access, and segmentation work you have in flight.
The three questions every request should answer
A request to reach a system — a person opening an admin panel, a service calling an API — should be allowed only after it answers three questions, and re-answers them rather than coasting on a one-time login:
- Who are you? Strong, phishing-resistant identity is the foundation. If you cannot trust the identity behind a request, nothing else in the model holds. This is why single sign-on — one hardened, monitored, instantly-revocable front door — is the natural backbone of a lean zero-trust posture rather than a separate effort.
- What are you coming from? A verified identity on a compromised laptop is still a problem, so device health matters: is this an enrolled, encrypted, patched endpoint, or an unknown machine? Conditional access that checks device posture before granting entry is the practical heart of zero trust.
- What exactly do you need? Even a trusted identity on a trusted device should get the minimum access for the task and nothing more. This is least privilege restated as an access-decision rule, and it is what limits the blast radius when — not if — something is compromised.
The shift is that these checks happen at the moment of access, per resource, instead of once at a network boundary that then waves everything through.
Retiring the flat network and the all-access VPN
The most concrete zero-trust move a lean team can make is to stop treating "on the VPN" as a synonym for "trusted." A traditional VPN drops a user onto the flat internal network and lets them reach everything — exactly the flat-network problem that turns one compromised laptop into the whole company. Zero-trust network access (ZTNA) inverts this: instead of placing the user inside a network, it brokers a verified connection to one specific application, after checking identity and device, and grants nothing else.
You do not have to rip out everything at once. The high-leverage steps are incremental:
- Put your most sensitive internal apps behind an identity-aware proxy so reaching them requires a verified identity and a healthy device, not just network position.
- Segment so that "inside" is no longer one trust zone. Even modest segmentation means a foothold in one place does not imply access everywhere — the same containment logic, applied to access decisions.
- Verify continuously, not once. Sessions should re-check posture and expire, so a device that falls out of compliance mid-session loses access rather than coasting on a stale grant. This is the access-layer version of continuous verification.
Don't forget the non-human requests
Zero trust is usually pitched in terms of people, but most requests in a modern system come from software. Your service accounts and non-human identities — the API keys, CI runners, and integrations moving data between systems — deserve the same scrutiny: scoped to the minimum, credentials kept short-lived and rotated, and their access logged. A long-lived, over-permissioned API key sitting in a config file is the antithesis of zero trust, and a favorite path for an attacker who never needs to phish anyone.
A posture you can verify and prove
Zero trust is not a switch you flip — it is a set of dimensions you can measure and watch for drift. Is every sensitive app behind identity-aware access, or did a new internal tool ship on the flat network? Is device-health checking actually enforced, or quietly bypassed for the founder's convenience? A new route that skips the proxy, a VPN rule that reopens broad access, a service account that grows permissions — each is a finding routed to an owner with a severity set by what it exposes, using the same exposure-first triage as the rest of your program. "Are our access decisions actually verifying identity and device?" is a continuously verified dimension of your posture score, not a one-time architecture diagram.
It also reads well to buyers and assessors. "Describe your access-control model" and "how do you protect internal applications?" are standing items on the security questionnaires enterprise customers send, and zero-trust thinking maps cleanly onto the access-control expectations in frameworks named on those questionnaires — SOC 2's logical-access criteria, ISO 27001's access-control domain. Your SSO coverage, device-health enforcement, segmentation map, and the access-related findings you have closed are exactly the evidence they want, kept current in the same continuous loop as everything else.
One honest caveat: a platform can help you track whether your zero-trust controls are actually in place — SSO and MFA coverage, device-health enforcement, least-privilege and segmentation state — surface the gaps as findings, and keep that evidence current for an auditor or a customer; it organizes, tracks, and proves the work. It does not broker your connections, enforce conditional access, configure your identity-aware proxy, make you compliant, or grant or guarantee any certification; the identity, device, and access architecture are operational steps your team owns, and which control obligations apply to you is a question for counsel. "Zero trust" here describes an architecture you build, not a certification anyone confers.
Zero trust is not a product you buy; it is the rule that you stop trusting the network and verify identity, device, and need on every request. For a lean team it is mostly a way of connecting the SSO, MFA, least-privilege, and segmentation work you already have — retire the all-access VPN, put sensitive apps behind verified access, scope the non-human callers too, and treat "are we actually verifying?" as a posture dimension you watch, not a diagram you draw once.